Hi Meta S. Brown,
You are asking for evidence backing two separate claims: that they have a weak understanding of (EU) data protection laws (Claim 1), or that they may be violating such laws (Claim 2).
For Claim 1, I take as evidence that:
1. once in the spotlight they modified their privacy policy in such a way that shows they do not understand how EU data protection laws are scoped. If Cambridge Analytica is “established” in the UK for data protection purposes, where people are resident can only provide them more rights, and certainly not be used to restrict their right of access.
2. they introduce additional restrictions to people who request their data through a third party website, even though the UK’s Information Commissioner’s Office’s Subject Access Request Code of Practice explicitly says that it is OK to do so.
3. they (Nix and Tayler) have repeatedly gone on TV and more generally to the press comparing what they are doing to traditional personalisation in marketing (if you really ask, I will dig up the exact links, but it’s basically in the videos in the news section of Cambridge Analytica’s website). Customization of messages for political purposes based on profiling should be A-OK because customization of messages for marketing purposes based on profiling is A-OK. That’s not how EU data protection works. For this, see the Advice paper on special categories of personal data, written by the Article 29 Data Protection Working Party. See in particular the first paragraph of page 6: The term “data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership” is to be understood that not only data which by its nature contains sensitive information is covered by this provision, but also data from which sensitive information with regard to an individual can be concluded. In other words, Cambridge Analytica’s techniques make all the data they are using in a political context fall under the “special category” (in Member States law, this is sometimes called “sensitive”). This in particular requires additional consent, which Cambridge Analytica most certainly dispenses with. (To be fair to Cambridge Analytica’s staff, a lot of marketing companies show just as poor an understanding of the law).
4. they (Nix and Tayler) think they can market Cambridge Analytica itself in any way they would like. I take as evidence for this that once a critical news report is published they will go and publicly deny claims they have previously made themselves (in a marketing context where it actually served them). In other words, they have two conversations about their company: one for marketing purposes (we do all this great profiling) and one for compliance purposes (we don’t do this profiling because it would be illegal). There is an obligation in data protection law of providing transparent notice. Here the marketing discourse obscures the data protection discourse.
Concerning Claim 2: Obviously this is a strong claim to make, and I have by now received enough direct or indirect libel threats that I am staying quiet on this publicly. In the text, I say that they illegally restricted the right of access. This I discuss before in 1. and 2., and I stand by it. My analysis however hinges on the fact that UK’s and European data protection laws would apply, which is a question of interpretation that the courts will have to decide. If UK and European data protection laws do apply, Cambridge Analytica might have violated the law in the first place by profiling individuals without consent for political purposes (this is 3.), and in many other instances. To prove that UK establishment, one needs to collect a lot of evidence, which I have, and to submit complaint(s) to the UK ICO.